Hacking QR codes for fun and profit

QR codes are everywhere these days, from being printed onto receipts to chiseled into granite tombstones. [Will] came up with a way to modify existing QR codes, and his hack has the potential to cause quite a bit of harmless mischief.

[Will]'s hack involves a little photo editing, transparency film, and some white-out/Liquid Paper/Tippex. After the ‘target’ and ‘destination’ QR codes have been imported into Gimp, the differences are found and the result printed out on a transparency sheet. After that, hang the transparency over the original and the QR code now goes to the URL of your choice.

On a ‘high’ level of error correction, a lot of neat stuff can be done with the design of a QR code, including putting logos inside a QR code by modifying the 359 ‘data pixels’ of a 25×25 code. We’re wondering if anyone has ever written a script to exploit the error correction of QR codes. In any event, it is possible to brute-force changes until the fewest possible pixels are changed.

The ISO 18004 standard is available online if anyone would like to take up that challenge. If a Hack A Day reader figures it out, send in the code on the tip line and we’ll put that right up.
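An added example, not code from [Will] or the original post: it rebuilds the fixed-pattern layout of a 25×25 (version 2) symbol to confirm the 359 data-module figure, then compares a reference module grid with one read back from a deployed print, which is how an overlay or white-out edit shows up when checking a code for tampering. The grids are constructed sample data (not decodable QR codes) and all function names are this example's own.

```python
SIZE = 25  # version 2 symbol: the 25x25 code discussed in the article

def function_mask(size=SIZE):
    """True where a module is a function pattern or format info, not data.
    Layout is valid for a version 2 symbol only."""
    mask = [[False] * size for _ in range(size)]
    def fill(r0, c0, h, w):
        for r in range(r0, r0 + h):
            for c in range(c0, c0 + w):
                mask[r][c] = True
    fill(0, 0, 9, 9)                # top-left finder, separator, format info
    fill(0, size - 8, 9, 8)         # top-right finder, separator, format info
    fill(size - 8, 0, 8, 9)         # bottom-left finder, separator, format, dark module
    fill(6, 0, 1, size)             # horizontal timing pattern
    fill(0, 6, size, 1)             # vertical timing pattern
    fill(size - 9, size - 9, 5, 5)  # alignment pattern centred at (18, 18)
    return mask

def data_module_count(size=SIZE):
    """Modules left over for data and error-correction bits."""
    return sum(not cell for row in function_mask(size) for cell in row)

def diff_modules(reference, observed):
    """Compare two module grids (True = black) and classify each changed module."""
    mask = function_mask(len(reference))
    report = {"to_black": [], "to_white": [], "function_hits": 0}
    for r, (ref_row, obs_row) in enumerate(zip(reference, observed)):
        for c, (ref, obs) in enumerate(zip(ref_row, obs_row)):
            if ref != obs:
                # to_white means something was covered; to_black needs only ink
                report["to_black" if obs else "to_white"].append((r, c))
                report["function_hits"] += mask[r][c]
    return report

def constructed_pair():
    """Constructed sample grids (synthetic, not decodable QR codes)."""
    reference = [[(3 * r + 5 * c) % 7 < 3 for c in range(SIZE)] for r in range(SIZE)]
    observed = [row[:] for row in reference]
    for r, c in [(3, 4), (10, 10), (12, 15), (20, 12)]:  # simulated edits
        observed[r][c] = not observed[r][c]
    return reference, observed

if __name__ == "__main__":
    print("data modules:", data_module_count())
    print(diff_modules(*constructed_pair()))
```

Any change inside a function pattern (`function_hits`) is worth flagging on its own, since those modules are identical in every version 2 symbol regardless of content.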

Comments

  1. Zee says:

    http://wordpress.mrreid.org/2011/08/06/hacking-qr-codes/

    If you modify QR codes this way you’re an asshole. This is not about security it’s about fucking over people when they want to save time.

    • Tel says:

      You need to relax. A prank is a prank. If you are soooo distraught over losing a couple seconds that you COULD have used to easily type out the address manually, then you really need to rethink your priorities.

    • jaded says:

      Actually, this is valuable as a teaching tool. People need to understand that just because the words say “google” doesn’t mean that’s what the black-and-white blocks have in them.

      Nothing is easier to forge than a barcode, because most humans simply can’t read them. They can’t inherently know if they’re looking at a good one or a malicious one.

      I see too many people who simply trust barcodes completely. They confuse the human readable for the data. Or they think it’s a good idea to slap on a barcode that represents the actual value instead of a pointer to the value (coupons).

      For that matter, you can even do SQL barcode injection attacks just like on the web. Some guy presented it at C3 a couple years ago where he hacked a video rental kiosk by injecting bad barcodes. Do you still think it’s a great idea to have your cash register scan your customer’s iPhone screen, Starbucks?

    • Xo Jo says:

      I believe it is a reasonable teaching tool as well. The reason is very clear: if a person can manipulate the code this way, then what do you think they can do to your bank account information if or when you cash a check using this thing. Sometimes the easiest way to do something is not always the best way, and I believe this teaches the limitations, and problems with this type of code.

  2. icebrain says:

    Real link is a search away: http://wordpress.mrreid.org/2011/08/06/hacking-qr-codes/

    (the author probably edited the post so the date in the URL changed.)

  3. matseng says:

    Correct link is http://wordpress.mrreid.org/2011/08/06/hacking-qr-codes

    Not too hard to find yourself unless you’re a lazy sob that just likes to complain….

  4. nave.notnilc says:

    surely the true hack would be doing it with just a marker or something :P

    • I’m sure it would be possible to modify a QR code with just a marker, but you’ll invariably run into situations where you’ll need to change a black pixel to a white pixel.

      Looking at the ISO spec, it’s possible, but I can’t find anything on a script that will find the most efficient change from an original QR code to a ‘target’ code.

  5. zehn says:

    would it not be easier to print on a white sticker and place that over the qr code.

    • zs says:

      I was thinking the same thing. then you could just produce your code in mass, and stick them not only over other ones but anywhere in general.

    • jjpertusch says:

      100% what I was thinking. I guess the only advantage is that a transparent film could hang over anything, whereas a white paper could potentially look out of place against a colored background.

  6. daniel says:

    Wouldn't it be easier to generate a completely new one with the right size and just glue it over the old one?

    • nerdrage says:

      yes mon frere, yes it would. With the right type of sticker paper it would look official, albeit an official afterthought.

      Now I need a deck of pain series QR stickers in my wallet at all times.

  7. baobrien says:

    Aaand it’s back

  8. Logan says:

    Hey guys, didn’t you read the post a couple days ago about Hackaday cleaning up their comments policy? Umm… d and zee you really need to take a peek. I’d say Matseng you too. http://hackaday.com/2011/07/27/hackaday-comment-policy-were-cleaning-up/

  9. hugo says:

    I was thinking about this the other day when I noticed lots of stores hanging this on their windows for easy access to their website.

    Excellent “rick rollin'” target if you ask me.

    @Zee: QR codes are inherently unsafe. It is unwise to use them; at least with a URL you can see what it’s visiting. For all, it could link to a PDF file exploiting native browser or operating system vulnerabilities… THAT would be really nasty…

    • Drake says:

      Excellent idea … We make a site that uses flash/pdf/whatever exploit to install a rickroll spyware.

      Software Description:

      Sit silently until a set of events occur (eg the user types “Rick”). Then turn the volume down low and play pieces of “Never Going To Give You Up”. The target will have that song stuck in their heads and not know why! Epic trolling!

    • RunnerPack says:

      I’ve only used one QR code reader (on my Android phone) but I would assume they all show you the decoded information and make you press a button to view the data (e.g. browse to the URL). Besides that, some codes aren’t even a URL at all, just text, etc.

      Now, that doesn’t remove the danger of “phishing” using a URL that, at first glance, looks legit, but that doesn’t make QR codes any more “inherently unsafe” than human-readable codes, if you’re paying attention.

  10. Mad Myche says:

    @zehn is right on. Just like people hack UPCs when they go school shopping to make the $100 Super Deluxe Graphing calculator cost $50

  11. Hamtaro says:

    This is just silly. As an aside. A lot of advertisement posters are actually put up illegally. So, the better question is: Is vandalizing a vandal’s work really morally evil?

  12. bootc says:

    The BBC hacked a QR code to put their logo in some time ago: http://2d-code.co.uk/bbc-logo-in-qr-code/

  13. gdogg says:

    Umm.. why would you waste your time overlaying it and manually drawing in the white splotches when you could just print the QR code straight up and paste it over top or something similar?

    I get how the idea is neat, but it’s never practical.

  14. Little example, how strong is error correcting algorithm in QR.

    And my little business card ;P

  15. Stevie says:

    If you’re going to stick something over it then you may as well stick a whole new code sticker over it.

  16. wahacks says:

    must…change…all…qr codes…to…goatse

  17. MS3FGX says:

    I thought this was an interesting bit of research into how to analyze QRs and find their differences…but yeah, in practice it would make much more sense to simply cover over the entire QR.

    Like already said, if you are going to physically stick something over the code in the first place, you might as well replace the whole thing.

  18. Some Asshole says:

    A friend and I had discussed this very thing, and had our Facebook profile pics set as QR codes.

    His led to a page that said “You just lost the game”

    Mine led to Goatse

    The comedy potential for this is near-infinite.

    Protest Signs (HELLO news) are wonderful targets

  19. Some Asshole says:

    **** WARNING****

    this leads to Goatse, via a QR code

    http://tinypic.com/r/35clylz/7

    (you won’t get goatse on the link – just the QR code)

    ****WARNING****

  20. edonovan says:

    I’m not sure why you would need to, but you could place these overlays on your own ad like a flip chart to have multiple QR codes without needing to take up more space on your advertisement.

  21. Roger says:

    QR Code ‘switching’ or ‘code-jacking’ in this old post on 2d-code.

  22. Frogz says:

    I for one appreciate this for 1 reason
    he didn't take the obvious route of simply replacing it (which would work a lot better)
    he went the needlessly complicated route for 1 reason
    because he can appear geekier than ever!

  23. Marc says:

    @edonovan: That’s actually a really good idea!

    I did that designing a couple of days ago, it's actually quite fun :)

  24. Isotope says:

    IMHO replacing a QR code isn’t much different from giving someone an obscure url like lemonparty…Or one that is supposed to look legit like bankofamerica.123.com. So in essence it’s not really a new thing.

  25. signal7 says:

    I predict that this will be the next wave in advertising. In the same way that websites have integrated ads until the usefulness of the web has been reduced to the point where I won’t go online without an adblocker, advertisers will start plastering QR codes all over the place. The fact that people can’t just look at a QR code and know what it says or where it goes makes most people an easy target. Even worse, most QR code apps don’t tell you what the code says before they happily send you to a target URL.

    I’m not looking forward to being QR rick-rolled.

    • Spork says:

      That is fine, as QR codes become more ‘viral’ QR code reading devices will be forced to become ‘secure’ in the sense that they will warn users of the site they’re about to visit.

      Hopefully the app makers will catch on quickly enough to where it’s not a real problem. Luckily we don’t have to get QR codes thrown at us like popups, we can simply ignore them.

  26. Erik Johnson says:

    I’m with everyone else on simply overlaying a new barcode sticker. As for the graphic overlay; this has been utilised for a while. I’ve been overlaying my EJ logo over my codes’ centres without issue for a while.

  27. umbongo says:

    We need to have an Android app that programmatically finds the smallest differences needed, and displays what you need to colour in black/white. It's all well and good saying it's easier to print out a whole QR code, but I for one don't usually carry a printer around with me.

  28. KiDD says:

    SO I plan on getting a QRCode tattooed on my neck with all my info in it and found a website about custom QR Codes but I can’t find it now… Similar to this site: http://qrarts.com/

    Then I found EZCodes…

    They are smaller…

    Micro QR Code…
